
EP-3847566-B1 - METHOD FOR SECURING THE USE OF AN APPARATUS OPERATING WITH AN ACCESSORY OR A CONSUMABLE

EP 3847566 B1

Inventors

  • DEBELLEIX, OLIVIER
  • DUPAQUIS, VINCENT
  • GUIDET, Tania

Dates

Publication Date
2026-05-13
Application Date
2019-09-03

Claims (12)

  1. A method of controlling a removable peripheral device, comprising: intercepting, by a secure microcircuit (AMC) internal to the peripheral device (P1), a command received by the peripheral device and intended to be executed by a circuit to be controlled (ADV) of the peripheral device, the command being encrypted using a first encryption key (SSK, SKD), performing a mutual authentication procedure between the secure microcircuit and a processor (DMC) of a device (1) in communication with the peripheral device, and if the mutual authentication succeeds: transforming, by the microcircuit, the received command into a command (CMD) executable by the circuit to be controlled, said transformation comprising a decryption of the encrypted command using a second encryption key (SSK, PKD), the encrypted command being correctly decrypted if the second encryption key corresponds to the first encryption key, transmitting, by the microcircuit to the circuit to be controlled, the decrypted command, and executing the decrypted command by the circuit to be controlled.
  2. The method of claim 1, wherein commands (ECM) received by the peripheral device (P1) are systematically decrypted by the microcircuit (AMC).
  3. The method of claim 1 or 2, wherein: the first encryption key and the second encryption key are one and the same key (SSK) of a symmetric encryption algorithm, or the first encryption key is a private key (SKD) of the processor (DMC) and the second encryption key is a public key (PKD) forming with the private key a key pair of an asymmetric encryption algorithm, or the first encryption key comprises a private key (SKD) of the processor (DMC) and a public key (PKA) of the microcircuit (AMC), and the second encryption key comprises a public key (PKD) of the processor, forming with the private key of the processor a key pair of an asymmetric encryption algorithm, and a private key (SKA) of the microcircuit forming with the public key of the microcircuit a key pair of an asymmetric encryption algorithm.
  4. The method of any of claims 1 to 3, further comprising: encrypting, by the microcircuit (AMC), status data (STS) of the circuit to be controlled (ADV), using a third encryption key (SSK, SKA), transmitting the encrypted status data (EST) to the processor (DMC), and receiving and decrypting, by the processor, the encrypted status data, using a fourth encryption key (SSK, PKA), the encrypted status data being correctly decrypted if the fourth encryption key corresponds to the third encryption key.
  5. The method of claim 4, wherein: the third encryption key and the fourth encryption key are one and the same key (SSK) of a symmetric encryption algorithm, or the third encryption key is a private key (SKA) of the microcircuit (AMC) and the fourth encryption key is a public key (PKA) forming with the private key a key pair of an asymmetric encryption algorithm, or the third encryption key comprises a private key (SKA) of the microcircuit (AMC) and a public key (PKD) of the processor (DMC), and the fourth encryption key comprises a public key (PKA) of the microcircuit, forming with the private key of the microcircuit a key pair of an asymmetric encryption algorithm, and a private key (SKD) of the processor, forming with the public key of the processor a key pair of an asymmetric encryption algorithm.
  6. The method of any of claims 1 to 5, wherein the peripheral device (P1) is a consumable, the method further comprising: determining, by the microcircuit (AMC), whether a resource supplied by the peripheral device, of consumable type, is exhausted, and if the resource is determined to be exhausted, rejecting, by the microcircuit, a command to be processed (CMD) intended for the circuit to be controlled (ADV) of the peripheral device, directed at using the resource.
  7. The method of any of claims 1 to 6, further comprising: transmitting, by the processor (DMC) to the microcircuit (AMC), a function (FCT) in the form of executable code to be executed by the microcircuit, and executing, by the microcircuit, the received function.
  8. A removable peripheral device comprising a circuit to be controlled (ADV) capable of processing commands (CMD) received from outside the peripheral device, and a microcircuit (AMC) for authenticating the peripheral device, characterized in that the microcircuit is integrated in the peripheral device and the peripheral device (P1) is configured such that all commands (CMD) intended for the circuit to be controlled (ADV) are intercepted by the microcircuit (AMC), the microcircuit being configured to: perform a mutual authentication procedure with a processor (DMC) of a device (1) in communication with the microcircuit, and if the mutual authentication procedure succeeds, transform a command (ECM) received by the peripheral device in encrypted form into a decrypted command executable by the circuit to be controlled, and transmit the decrypted command to the circuit to be controlled, the microcircuit (AMC) being configured to implement the method of any of claims 1 to 7.
  9. The peripheral device of claim 8, wherein at least a part of the circuit to be controlled (ADV) is enclosed in a secure environment, under the supervision of the microcircuit (AMC), the microcircuit being configured to reject a command (ECM) when a breach of the secure environment is detected.
  10. The peripheral device of claim 8 or 9, wherein the microcircuit (AMC) and at least a part of the circuit to be controlled (ADV) are associated together within an integrated component.
  11. The peripheral device of any of claims 8 to 10, wherein a function normally performed by the processor (DMC) of the device (1) is at least partially offloaded to the microcircuit (AMC), the microcircuit being configured to receive commands capable of triggering the at least partially offloaded function.
  12. The peripheral device of any of claims 8 to 11, wherein at least one link (W2) of a command transmission bus (ADB) between an input of the peripheral device and the circuit to be controlled (ADV) passes through the microcircuit (AMC).

Description

The present invention relates to combating the counterfeiting of accessories or consumables, or more generally, removable peripheral components designed to operate with specific devices. The invention thus applies in particular to ink cartridges and toners for printers, refills for perfume diffusers or electronic cigarettes, power supply batteries, headphones or earphones, etc. There is a need to protect the distribution of such peripheral components, in particular to prevent the use of peripheral components of insufficient quality which could damage the devices with which they are used.

To control the marketing and/or use of such removable peripheral devices, some devices include a mechanism for authenticating the peripheral device. Furthermore, some removable peripheral devices are designed to implement an authentication procedure with the device for which they are intended. The device's authentication of the peripheral device relies on authentication data written or stored by the device. Access to this authentication data must therefore be protected. The level of protection for such authentication data generally corresponds to the cost of the device storing the authentication data, with the understanding that the higher the level of protection, the higher its cost.

WO 2009/113286 A1 constitutes the relevant state of the art. The scope of the invention is defined by the independent claims.

Several authentication techniques for such peripheral components have been proposed to address this need. These techniques include special marking methods for authentic peripheral components, which may involve holograms. It has also been proposed to associate a secure microcircuit with a peripheral component to store authentication data, connect to a processor in the device, and implement cryptographic functions. The use of such a microcircuit is supposed to offer the greatest security, as it can be very difficult to copy.
This type of microcircuit is used to implement an authentication procedure, typically based on a challenge-response protocol. This protocol involves sharing secret data and cryptographic functions between the microcircuit and the processor of the device receiving the peripheral. This solution appears secure if both the microcircuit and the processor involved in the authentication procedure are secure. However, the device's processor is generally not secure. Consequently, if the program executed by this processor is compromised (modified by an unauthorized person), the authentication performed is unreliable.

For example, the ink supply in a conventional inkjet printer is managed by the printer's processor, which is generally not secure. The program executed by this processor includes cryptographic functions to authenticate the ink cartridges (or other peripheral components), and control functions that send simple commands to the cartridges and receive status data from them. As a result, the program executed by the printer's processor can be modified to perform the cartridge control functions without first executing the cartridge authentication procedure, or without taking into account the result of this authentication procedure. It is therefore advisable to enhance security when using a removable peripheral component with a device, particularly to prevent the device from using an unauthenticated peripheral component. It may also be advisable to prevent the refilling of a consumable peripheral component.
Embodiments relate to a method for controlling a removable peripheral component, comprising steps of: intercepting, by a secure microcircuit internal to the peripheral component, a command received by the peripheral component and intended to be executed by a circuit to be controlled of the peripheral component; performing a mutual authentication procedure between the secure microcircuit and a processor of a device communicating with the peripheral component; and, if the mutual authentication is successful: transforming, by the microcircuit, the received command into a command executable by the circuit to be controlled, transmitting, by the microcircuit to the circuit to be controlled, the transformed command, and executing the transformed command by the circuit to be controlled. According to one embodiment, the method includes steps consisting of: receiving, by the microcircuit, a command to be processed previously encrypted using a first encryption key, decrypting, by the microcircuit, the encrypted command, using a second encryption key, the encrypted command being correctly decrypted if the second encryption key corresponds to the first encryption key, and transmitting, by the microcircuit, the decrypted command to the circuit to be controlled of the peripheral component. According to one embodiment, the commands received by the peripheral component are systematically decrypted by the microcircuit. According to one embodiment, the first encryption key and the second encryption key are the same
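As an added example (not the patent's own code, and not code from any product the patent describes), the following Python simulates the flow that the challenge-response discussion above and the embodiment just described lay out: mutual authentication between the device processor (DMC) and the peripheral's secure microcircuit (AMC), interception of every encrypted command (ECM) by the AMC, decryption and forwarding to the circuit to be controlled (ADV), encrypted status (EST) returned to the device, and rejection when authentication was skipped by the host, when the command was not encrypted under the expected key, or when the consumable is exhausted (claim 6). It assumes the symmetric variant of claim 3 (one shared key SSK). The cipher is a constructed HMAC-SHA256 keystream with encrypt-then-MAC, chosen so the example runs on the standard library alone; it is not a production cipher and not one the patent names. All class, function and command names (`DISPENSE`, `ControlledCircuit`, `run_demo`, ...) are assumptions made for this example.

```python
"""Simulation of the patent's command path. Added example, not the patent's code.
Symmetric variant: DMC and AMC share SSK. The cipher below is a constructed
HMAC-keystream encrypt-then-MAC scheme for demonstration, not a production cipher."""
import hashlib
import hmac
import os
import secrets

SSK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (constructed demo cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; raises ValueError unless blob was sealed under key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _response(key, role, challenge):
    # Challenge-response proof of key knowledge; role tag prevents reflection.
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class ControlledCircuit:
    """ADV: the part doing the work, e.g. an ink dispensing head (hypothetical)."""
    def __init__(self, resource_units):
        self.resource, self.executed = resource_units, []

    def execute(self, cmd):
        if cmd == b"DISPENSE":
            self.resource -= 1
        self.executed.append(cmd)
        return b"OK resource=%d" % self.resource   # status data (STS)


class SecureMicrocircuit:
    """AMC: on the bus between the peripheral's input and ADV (claim 12)."""
    def __init__(self, key, adv):
        self.key, self.adv = key, adv
        self.authenticated, self.breach_detected, self._pending = False, False, None

    def answer_challenge(self, device_challenge):
        self._pending = secrets.token_bytes(16)          # our challenge to the device
        return _response(self.key, b"AMC", device_challenge), self._pending

    def verify_device(self, device_response):
        expected = _response(self.key, b"DMC", self._pending or b"")
        self.authenticated = hmac.compare_digest(expected, device_response)
        return self.authenticated

    def intercept(self, encrypted_command):
        """Every command (ECM) lands here; ADV only sees what is forwarded."""
        if self.breach_detected:                            # claim 9
            return self._status(b"REJECTED: secure environment breached")
        if not self.authenticated:
            return self._status(b"REJECTED: not authenticated")
        try:
            cmd = unseal(self.key, encrypted_command)       # second key must match first
        except ValueError:
            return self._status(b"REJECTED: command not decryptable")
        if cmd == b"DISPENSE" and self.adv.resource <= 0:   # claim 6
            return self._status(b"REJECTED: consumable exhausted")
        return self._status(self.adv.execute(cmd))

    def _status(self, sts):
        return seal(self.key, sts)                           # encrypted status (EST), claim 4


class DeviceProcessor:
    """DMC: the host's non-secure processor, e.g. a printer's main CPU."""
    def __init__(self, key):
        self.key = key

    def authenticate(self, amc):
        c1 = secrets.token_bytes(16)
        amc_resp, c2 = amc.answer_challenge(c1)
        if not hmac.compare_digest(amc_resp, _response(self.key, b"AMC", c1)):
            return False                                     # peripheral not genuine
        return amc.verify_device(_response(self.key, b"DMC", c2))

    def send(self, amc, cmd):
        return unseal(self.key, amc.intercept(seal(self.key, cmd)))


def run_demo():
    """Genuine flow plus the failure modes the description and claims call out."""
    r, dmc = {}, DeviceProcessor(SSK)
    adv = ControlledCircuit(resource_units=2)
    amc = SecureMicrocircuit(SSK, adv)
    r["auth_ok"] = dmc.authenticate(amc)
    r["first"] = dmc.send(amc, b"DISPENSE")
    r["second"] = dmc.send(amc, b"DISPENSE")
    r["exhausted"] = dmc.send(amc, b"DISPENSE")              # resource is now 0
    r["raw_on_bus"] = unseal(SSK, amc.intercept(b"DISPENSE"))  # plaintext put on the bus
    adv2 = ControlledCircuit(2)                              # host firmware skipping authentication
    r["skip_auth"] = dmc.send(SecureMicrocircuit(SSK, adv2), b"DISPENSE")
    r["adv2_ran"] = len(adv2.executed)
    rogue = DeviceProcessor(b"\x00" * 16)                    # host holding the wrong key
    r["wrong_key_auth"] = rogue.authenticate(SecureMicrocircuit(SSK, ControlledCircuit(2)))
    return r


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The `skip_auth` case is the scenario the description gives for the conventional printer: a host program altered to run the control functions without the authentication step. Because the AMC sits in front of ADV and refuses anything arriving before its own authentication state is set, the check no longer depends on the host program being intact; likewise a command placed on the bus in the clear (`raw_on_bus`) fails the decryption step and never reaches ADV.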